Wells Fargo Web-Enables ATMs
smooth wombat writes "Wells Fargo has completed a five-year project to Web-enable its 6,200 ATMs in 23 states. Now the ATMs will be Windows based rather than OS/2 based. Avivah Litan, an analyst at Gartner Inc., in Stamford, Conn., said the move to Windows-based systems is "not great news for the security of the system. I'm sure there's a lot of holes that will be created because of this.""
What was wrong with OS/2 ATMs?
However, come to think of it, a lot of those things would look better with that Aquarium Screensaver. I think I'll click on the ok download button next time.
Don't blame Durga. I voted for Centauri.
They're going to use Windows Embedded, not Windows XP. Two completely different code bases.
Just because one has security issues does not mean the other will too.
Real programmers can write assembly code in any language. -- Larry Wall
What could possibly go wrong?
I RTFA and have no idea why they did this. OS/2 is not EOL'ed yet. Methinks someone did a snow job on these guys.
Help fight continental drift.
Gretings, I am Govermet Minster of Nigeria, and if you send me your PIN you wil share 20% of 1.3 milion American US dolars that I must retrive. THis wil only take a moment since you are already at your ATM.
"We want to make sure our ATMs are integrated with every other channel so when I do a deposit in a [branch] I want to be able to go to [an] ATM immediately and see that deposit"
I do that regularly anyway. An ATM doesn't have to be on "the net" to do that. It has to communicate to the central handling server regardless of it's OS.
These are the type of applications where the OS would be really tested. And finally who will be responsible if people lose precious money because of some kid running a 10 line worm? But did they have an option? No. The corporates have to embrace technology to have the edge in competition. And for such an application what will they choose? Windows which is known to have security holes or Linux which might have unreported flaws and methodologies that are patented by Microsoft?
fuvoo: watch something
Does anybody know why the ATMs would be any more useful because they have been web-enabled? Perhaps people wish to do online banking at the kiosk?
Then again, it could just be for ads.
It would be cool if it didn't suck.
How else could OS/2 download the latest and greatest malware? http://it.slashdot.org/it/05/03/05/196247.shtml?tid=172&tid=218/
I'll be moving away from where there are wells fargo's fairly soon anyway, so I don't think I'll have to worry about "hacked" atms because they run windows :)
Good thing I don't bank with them...otherwise I'd be switching banks right about now.
It's kind of like going into a plane...if I looked into the cockpit and saw Windows booting, I'd walk straight off the plane and ask for my money back.
NEVER NEVER trust anything mission-critical or financial based to something as problem-prone as a Microsoft product.
This is not a great move. Try and search for 0S/2 exploits even with Google. You're not going to find tons. I sure don't want to use an ATM running Windows and IE where someone that use the security exploit(s) of the month on it.
Search on Windows security exploits and display the results and oh
... darn I hope this gets submitted because my browser crashed when all the results came back.
to exploit one of the holes to get free cash, or even better, install firefox on the ATM?
Now if they aren't on a secure network, or it gets cracked somehow (even an inside helper) then it could be like that Richard Pryor thing in Superman II (or was it III?) where he pilfers a cent here and there and nobody's the wiser until he pulls up in the parking lot in an expensive sportscar on a cheapass wage.
A feeling of having made the same mistake before: Deja Foobar
They can't all be fake, and I have a good feeling about this one.
This makes no sense, ATMs are already all 'on a network' - what more do they want? why would a 'Windows infrastructure' be better for updating them? why do you even need windows (lowercase) in an ATM - a device with only one program and one thing on screen at a time?
This comment does not represent the views or opinions of the user.
It's good too, because I needed a place to see MSNBC tickers and movie trailers and also get money at the same time.
Now that this has rolled out on all Wells Fargo ATM's, they will allow you to watch full movies on them and will be opening concession stands. If you pull up to an ATM, and the car in front of you has the windows all fogged up
or else!
I'm pretty sure that they encrypt the data traffic to and from the ATM machine :) , however making it easier for hackers/crackers to listen in to the communication sounds like a really bad idea to me.
Just because you have a safe car, it doesn't mean that you drive it without the safety belt on. It sounds to me that they're almost asking for it.
I'm sure we have security experts here on /. to tell us all about this.
-- This SIG is encrypted
The San Francisco-based bank said it also installed more than 3,000 online stations in nearly all of its 6,046 branch locations.
Am I the only one to get that each ATM is shared between two branches?
How are those Windows patches going to be deployed? Hmm... Wonder if they have a usb accessible to download an XML dump of my transactions... Wonder if auto-run has been turned off...
ATM's don't need a fancy gui... just a keypad with a few buttons would suffice. Kinda reminds me of the electronic voting problems with Windows, while in India, they used embedded computers, hard-coded, four buttons to a pad, without any problems.
web != tightly controlled internal network
web = subset of the internet connected through hyperlinks
The local AMC 24 multiplex movie theatre self serve movie ticket terminals run Windows 98. There was one stuck at its boot screen at one point. Also I have seen the familiar blue several times. These machines handle Debit transactions with a PIN number and credit card transactions without a PIN.
Security does not seem to be a big issue on closed networks. At least I hope it is a closed network.
If you turn on the networking, you can bet a lot of the SMB-based Windows hacks would work on OS/2 because it was the same codebase. Nobody can be arsed to check tho.
an IP address for me?
Find a bank that doesn't have an IT department getting sort of bribes from Microsoft and switch to it.
It's easy. Go to the bank, tell them you want to close your account, and if you are asked "why" in a form etc, write "windows"
Bad Idea (TM)
If it isn't broke, then don't fix it.
si vis pacem, para bellum..."if you wish peace, prepare for war"
Does anyone else remember the end of Sneakers? Because that's what this reminds me of. I'm just thinking about the potential news headlines...
"Wells-Fargo reportedly went bankrupt yesterday. Company spokesman: 'The money... it just disappeared...'
In other news, the EFF is reporting record donations!"
pb Reply or e-mail; don't vaguely moderate.
While it's unlikely that these machines are actually on the internet, but if they are it's probably not a big deal anyways. They'd likely be using some kind of hardware VPN, and even if they weren't they are most likely shutting off all external ports other than their own software, making it no more vulnerable than any other OS they might choose. No open ports, no way to exploit it.
If you need web hosting, you could do worse than here
A couple of weeks ago I saw an ATM that had crashed. It was running Netscape on some version of Windows.
Surely enough, it was made by the same manufacturer who f***ed up US voting machines. I do have some pictures if anyone is interested.
where's all that Karma?
If the atm systems get hacked because of this move, could the customers sue for losses and punitive damages? After all, using windows on a banking system is like leaving the door open at Fort Knox, inviting the crime.
am I the only one who finds the new Wells Fargo ATM key response time to be laggardly?
After I enter my pin, the beep sound and the asterisk that's displayed take so long that I think I've miskeyed, so press again getting a double entry which I have to cancel and slowly and carefully retry.
Is it because of being Windowized, or just bad programming? The old OS/2 ATMs responded instantly.
Stolen from Fark.
"Wells Fargo Web-Enables ATMs. Hilarity ensues."
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
http://www.theregister.co.uk/2004/09/06/ams_goes_windows_for_warships/
Security?
I went to the hole in the wall (ATM) and it was displaying a windows taskbar, a dos window with some process running with a dos full stop sequence progress meter and another McAfee window - I asked in the bank and they said it had been on and off all morning and an "engineer" was trying to fix it.
I remember a /. article on UK banks going over to windoze but I never thought I'd see the day.
;-)
Was I ever laughing.
I wonder if my atm card has a virus by now.
PS It was Bank of Scotland
Well I guess an OS and their money are easily restarted.
Great. As if waiting for some jerk to
- Check his balance
- transfer funds
- buy stamps
wasn't bad enough, now I have to wait for him to
Overrated / Underrated : Moderation
I nominate "The Windows-based infrastructure enables remote upgrades" as the loaded statement of the year. Anybody care to take a guess as to who will be writing "upgrades" for these things?
I used to work for IBM in OS/2 TCP/IP support. People would be amazed at how much OS/2 is still out there. Banking, industry, CIA, NSA, Vatican Bank, etc. Heart/Lung machines, ATM machines and the machines that make fritos. When OS/2 went down at Frito-Lay, no more fritos...not good times. I'm sad to see it go, it was great for apps such as these.
ATM's + Internet = Free money for hackers
Seriously, [virtually] every computer system has a security flaw, which will be found if enough people are interested. The only way to really secure a system is to keep it physically unreachable. Now if they connect their ATM's to the internet, the hackers will find their way inside in a matter of days, if not hours.
The possibilities it opens are enormous - stealing PIN's, account information, or even actually withdrawing money from the ATM!
1's and 0's should be free.
The Windows-based infrastructure is designed to allow Wells Fargo to update and add services such as new languages and envelope-free deposits to its entire network remotely.
Umm... Wouldn't envelope-free deposits require an on-site hardware shift anyway? That is, unless Windows Embedded now runs rapid prototype machinery.
Sounds like they're running WtFXML.
The ______ Agenda
..with home PCs.
We put Windows on them and gave them all high speed net access... it wasn't the most successful experiment, and they weren't stuffed full of cash.
They weren't helpful enough, Well Fargo ATM customers can now look forward to the ATM Assistant(TM)!
"Hi, I'm Clippy, would you like help:
Depositing Funds?
Withdrawing Funds?
Transfer your entire balance to r00m4n14n d00d?
Selecting the proper brick to smash my keyboard with?
A feeling of having made the same mistake before: Deja Foobar
Now the question to answer is: Whose hands were greased?
Blue Screen Of Debt
I mean, it's not like the bank is going to provide keyboards, mice, IE, open network connections to the rest of the world, etc., etc.
Windows is the OS that a very specific application runs on. That's it.
It won't be running, say, MS SQLServer.
Wells Fargo has been in business for a while. I'm sure it's got a competent staff looking at this. I'm sure it'll be looking for exploits. I'm sure there'll be a significant security infrastructure.
668: Neighbour of the Beast
OS/2 does not have the same codebase you jew
Search on Windows security exploits and display the results and oh ... darn I hope this gets submitted because my browser crashed when all the results came back.
Let me guess, you ran the search in Internet Explorer?
Stasis is death. Embrace change.
Looks like I cancelled my Wells Fargo account just in the nick of time...
Does this means more pics like these:
Runtime error
Bluescreen
I gave up with the idea of an useful sig...
"An ATM doesn't have to be on "the net" to do that. It has to communicate to the central handling server regardless of it's OS."
"It's" means "it is".
And a tidbit about some new features:
What are the odds that some idiot will name his mutex ether-rot-mutex!
A few of the banks downtown where I live all switched over to Windows based ATMs about a year ago. Since then they crash several times a week, or just plain don't work. The images posted above are VERY VERY common, and I've had a few days that I've had to try *four* ATMs before I found one that wasn't crashed.
JFS and LVM came from OS/2 Warp 4.5x. (OS/2 code, not from the AIX versions) Enjoy your dead code. :)
Although I am pleased to see many posts insulting the change instead of the usual DEAD DEAD DEAD! posts such as yours.
Yeah, I'm on an OS/2 4.52 workstation (a.k.a eComStation 1.2) which happens to be sitting next to a pile of Slackware, CentOS and even a couple OS/2 based web servers.
I do agree that I'd trust a Linux ATM vastly more than a WinTurd one.
pigfukr
It's not intended to increase security. There have already been people who create fake ATM's. A person comes up, puts the card in the mag stripe reader, and enters a 4 digit pin, when suddenly the machine issues an "error" and ejects the card. No matter the level of patience, the person eventually gives up and goes away. An ATM that has a familiar and trusted "look and feel" might be made into a safe place to do business one might not want to do over the web.
My guess is that this isn't an attempt at increasing security at Wells Fargo ATM's but of being able to offer web ads while your transaction is in progress. In addition they'll probably add a menu of things you can buy and have sent to you. Additionally, Wells Fargo gets ad revenue and can start sending you spam to your physical mailbox (which is not a legal problem since you have a business relationship with them).
"New Baldness Cure! Nervous about using the web? Go to an ATM, put your card in, and choose option 4 from the services menu! It couldn't be easier!"
That can't mean they have more than 3000 in total, as that's only around half of 6046. Even in marketing-land where the margins are bigger, you'd need at least 5000 out of 6000 to claim "nearly all". Logically, this means they must have more than 3000 online stations in each of their 6046 branches. That's over 18 million Windows licenses. Some sales guy at MS just got a new yacht.
Chernobyl 'not a wildlife haven' - BBC News
All t3h moneys are belong to us!!!
You have no chance to survive, make your withdrawal.
HA, HA, HA,
I've seen many ATMs replaced with Windows and for the most part, they crash several times a week. The fact that their uptime is so minimal makes me wonder why they charge fees anymore. There is no convenience when you have to use an ATM to find it crashed and then having to wander into the bank anyways.
This is coming from the same company that spilled all of my personal information (SSN, account numbers, home address, phone number, etc.) when some of their computers were stolen last year. They then had the audacity to use this as a reason to advertise their credit-monitoring/fraud-prevention services. I can't imagine how bad this would have been if they were actually my bank.
Existing Windows XP embedded based ATMs, made by Diebold, have already been affected by Windows XP-targeting worms. This should be sufficient to demonstrate that the code bases at least share whatever code caused vulnerability to the Nachi worm. The obvious question then becomes, if and when further holes in Windows XP are discovered, what happens if they too are in the code shared with Windows XP Embedded?
I mean, it's just an awfully funny coincidence that the sudden emergence of the term "cyber-crime" in connection with ATMs just happens, after all these years of computer ATMs, to coincide with the introduction of Windows based ATMs.
And I somehow suspect that in five years, when WinXPEmbedded ATMs are everywhere, if anyone observes it as odd that how ATMs suddenly have a security track record now, we'll have people saying "oh that's just part of the technology, there's nothing you can do about it, it would be the same with any other vendor"...
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Windows-based, web-enabled (does this mean on a public network?) ATMs.
Dear God. The shit has hit the fan. Head for the hills!
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
That's great. They got with the program and screwed all their customers.
And in a not unrelated story: Hacker takes 3 minutes to get your cash
--
Linux VPS Hosting you can Bank On
And here I was thinking that security by obscurity was a bad thing...
I've been using ATMs since they were first available and I use them quite a bit. I have never had a single penny lost. I've not known anyone to lose a penny. I'm sure it has happened, but I bet the incidence is low.
http://www.busyweather.com/
now they'll finally test the old adage "No one ever got fired for choosing Microsoft".. when someone gets really fired for choosing Microsoft. Wonder if they'll hold MS responsible for security breaches?
meh
I think Wells Fargo is big enough and serious enough to know the risks and do all they can to stay on top of the security of their ATMs. I have used these "web-enabled" ATMs and they are a lot more useful than the old ones. You can set a one-button quick cash that remembers if you want 20, 40, 60... and if you want a receipt. I have rarely seen them down, and never with an embarrassing error box or BSOD.
What's the big deal? I know of at least one other bank that's had NT based ATMs for years.
Understanding is a three edged sword. - Ambassador Kosh Naranek, Babylon 5
"The San Francisco-based bank said it also installed more than 3,000 online stations in nearly all of its 6,046 branch locations."
How is it that less than half is considered nearly all? Or are they stretching their ATMs so that it is so large that it is physically touching more than one branch, or just building branches next to each other and throwing an ATM in between?
The math is appalling.
All your searching needs (and free money!) - 4Lancer.net
Now take out the ones that rely on the end user to download and install a trojan of some sort (which knocks out everything IE-related), those that have been patched and those that are blocked by the firewall.
How's your list now ?
Web Enabled is a misnomer. The so-called "Web" ATMs just use an HTML layer for layout. The actual transaction is communicated through another layer.
All your money belong to us!
You can hold down the "B" button for continuous firing.
> Avivah Litan, an analyst at Gartner Inc., in Stamford, Conn., said the move to Windows-based systems is "not great news for the security of the system. I'm sure there's a lot of holes that will be created because of this.
Heh.. so after some 15 years someone at Gartner finally figured OS/2 was good for something?
It's amazing one can defend Microsoft at this point based on the fact that their big security disasters have drowned out the attention given to their small ones. In this case security on their home systems is so bad it apparently makes the security on their server systems seem not so bad by comparison.
Well, it's still bad compared to anything else. The NT series had a pretty awful security reputation before the current spyware epidemic started, and they've earned a poor security reputation completely apart from the spyware problems the home users have experienced. Microsoft's given a lot of lip service to the problems but problems are still happening.
Most cinema ticketing systems run on Windows (some using a customised Access database).
The public terminals run windows as well. (I have seen some that were designed to take cash, however they were not reliable to be used for cash sales)
I would be more worried about entering my pin using an on screen keyboard where it would be easy to see what is being typed.
Different banks.
Don't worry about it. If your bank details get leaked and all your money stolen, your identity assumed by terrorist and your whole life ruined...
You can always claim $5 from Microsoft.
Wow, it's almost worth it!
No open ports, no way to exploit it.
Until someone figures out a hole, bug or crash in the multimedia interface itself that lets them install a keylogger...
Oh, but that's silly. How could someone with only physical access to a machine find out a way to compromise it?
I hope this new hardware and software comes with a free 60-day trial of norton antivirus... I have a feeling it'd be secure then...
Run Ad-Aware
Run Spybot
fight ticket for parking meter that expired while you went through the windows routine at the atm
Rinse
Reboot
Repeat
Get cash?
Barring PEBKAC issues Windows 98 is actually pretty secure on its own. As long as they weren't running IIS or being used by lusers for email/web bullshit those ticket terminals could probably be run safely on the internet.
Why isn't a proprietary system good for a single use device? It's like putting Linux on watches.
who was the genius that came up with that idea of buying windoze based atm's - I came across one in a bank a while back and it had the old blue screen of death. ya the embedded kernel must be better than the desktop one.
Sweet. Someone mod this up.
All your searching needs (and free money!) - 4Lancer.net
Really, how hard would it have been to go to a more-secure os/browser combination? Certainly wouldn't have been more expensive...
--phixxr
ungggghhhh
Oh, but that's silly. How could someone with only physical access to a machine find out a way to compromise it?
That deserves at least a +3 funny.
The higher the technology, the sharper that two-edged sword.
They should have hired a team of programmers and researchers to design an OS specifically tailored to the task of an ATM. Then sold it to other banks at half the cost of Windows.
They don't do this with all these fly-by-wire(night), computerized airliners...or are they? I wouldn't want to see the BSOD actually mean it.
Except they won't have physical access to the actual machine so they can't insert floppy disks and CD-ROMs to get their malicious code on to the machine itself. They can just point and sputter in the likely kludgy interface with whatever minimal input device they're allowed.
is "playing leapfrog with a unicorn"...
--- Asking inconvenient questions for over 30 years...
I still wonder why companies don't use BSD for things like this. Sure, they could use Linux, but then there's all the compliance with the GPL and such. With OpenBSD touting security so much and NetBSD able to run on my dead-squirrel-in-a-cardboard-box machine, they would seem like an ideal choice.
When you look at the state of the world, how can you not become a radical, liberal anarchist?
How can you say this with a straight face: Just because one has security issues does not mean the other will too ? Do you actually look forward to a keylogger on the ATM you use?
you had me at #!
it just has to be set up. Cisco routers can be upgraded remotely. Just as long as there is some sort of connectivity between the ATM and the banks systems then a program can be written to enable remote administration.
I once (briefly) attended a college which had windows web-kiosks in nearly every building. The super had done his job right, and they were locked up tighter than a gnat's ass. All you had for input was a trackball and one button, and the system started on the university webpage.
I say this to illustrate the excellent security inherent in the windows platform: I owned that system within five minutes of touching it, without adding any media.
A windows-based ATM will be hacked, and probably within hours at most.
That's a helluva attitude to have.
My karma is not a Chameleon.
Like the other guy said, Sneakers just finished here in the UK, so I immediately thought of that.
But then I thought of the beginning of Terminator 2, where John Connor uses a brute force attack on an ATM using a calculator of some sort.
"I see you have used this ATM before. Would you like me to remember your PIN so you won't have to enter it again?"
Certainly there are security issues with any OS. As long as you stay aware of current threats and stay on top of patching your systems you aren't usually in too much of a jam. In my experience Wells Fargo IT Security is pretty on top of threats and patching.
Regardless of what OS's you have used and like you must admit that OS2 is getting a little long in the tooth these days and really can't be expected to have all the features expected from the modern ATM. Remember these systems are not designed for use by experts and need to be able to read to you (for the blind) possibly change font size for those with eyesight problems, etc. My point is that ATMs are not simple and require a changing dynamic platform. I think that if the engineers at Wells Fargo feel OS2 is no longer able to provide the features they require in their ATMs they should replace it.
I guess the Lunatic fringe is in a tizzy - either your ATM is a Diebold machine or runs Windows.
"I see you have marked a point on your radar. Would you like me to set it as a default attack point?"
I registered JUST for this. On this website it claims: "The San Francisco-based bank said it also installed more than 3,000 online stations in nearly all of its 6,046 branch locations" So, Wells Fargo has done a half-machine job, eh?
Zach is just this guy, you know?
can get the dreaded Blue Screen of DEATH ?
Si vis pacem, para bellum! For evil to succeed good men need only do nothing!
Choicepoint selling data to criminals, Bank of America exposing customer data. Windows XP on my ATM. I can't even get Windows XP to work correctly on a Dell specifically designed for it. Don't worry, be happy.
------ Tim O'Brien
There's a Wells Fargo ATM close to where I work, not inside a bank, and the guy who puts the money in it is always accompanied by an armed guard.
I wouldn't trust a bank that had an untrained teller doing that.
Particularly one who is taking instructions from someone over the phone. Yeah, I really trust that system.
What bank do you work for? I want to be sure that I don't have any accounts with it.
Part of security is being correctly trained. An untrained person (problem #1) taking instructions over the phone (problem #2) to service a machine that is "web enabled" (problem #3) is a script for disaster.
First one to install Linux on these machines gets a cookie, not to mention lots of money and some prison time...
To hell in a hand basket my friends, to hell in a hand basket.
Wells Fargo already allows you to do a remarkable amount of banking on the web. I suspect that extending the connectivity to the ATM will allow them to provide services at ATM's that aren't available from other banks. It also allows them to customize the programming themselves, rather than rely on whatever Diebold wants to sell them. I must say, WF ATM's have a more sensible workflow than certain other machines. This matters in places like a university student union building where there might be 100 people lined up to use 4 machines.
As for security, it's 3DES over SSL on a pocket network. Most ATM's use a standard protocol over a CCITT link on a POTS line.
ATMs do millions of transactions a day very accurately (other than Diebold) and these jokers can't make voting machines accountable?
http://midnightspaghetti.com/newsDiebold.php
~hylas
Also take out the ones that need more than numbers and F-keys to initiate locally.
Give a man a fish, he'll eat for a day, but teach a man to phish...
"Try and search for 0S/2 exploits even with Google. You're not going to find tons."
What's the point of writing an exploit if nobody is going to see it? The market share of OS/2 is so small the culprit would have to a marketing department to advertise the exploit.
I done got poor grammar skills an' I be proud o that.
From what little I know the bsd variants have some of the best security around. It would make far more sense to build them around that. For that matter since when does an atm need to do anything but dispense cash? I _want_ anything involved with my money to be as simple as possible since you cannot secure what you don't fully understand, and if you put all that windows baggage on it well security is the cost. Let's pray they strip it down enough that our money stays put, but I rather doubt it.
Speaking of weird things. I think someone said they were moving to 3DES. The question is why? Sure 3DES is probably secure for awhile, but it would seem to make far more sense to go to a 160 bit version of AES since it is at least a complete algorithm. While being able to break DES may not help with 3DES right now, the one is made from 3 of the others and who knows what the future may bring.
I'm sure that a year from now if no security breaches are made, Slashdot will post a story with the title "Most Slashdot posters were wrong, XP based ATMs turned out to be secure after all".
Until someone figures out a hole, bug or crash in the multimedia interface itself that lets them install a keylogger...
Without the camera and auditing system catching them.
Oh, but that's silly. How could someone with only physical access to a machine find out a way to compromise it?
More like why bother installing a keylogger when you can just look over someone's shoulder. And what good does a keylogger do anyway?
They weren't, at least not that I'm aware of. They were DoS'd because of high network activity.
If you need web hosting, you could do worse than here
Well what are the options of a linux solution to this? Can embedded linux be used ATM? Is it reliable enough... if they were willing to make the switch between OS/2 to Windows why not look at OS/2 to Linux?
just imagine, someone installed a keylogger onto just 1 atm machine... the horror!
HD Trailers
Wait, Windows (inferring IE) + money. Why does this seem like a ZDNet story about internet fraud waiting to happen.
If they kept it close to the HTML standards, it should make it possible to switch to a decent machine in the coming years, possibly months.
I prefer the "u" in honour as it seems to be missing these days.
I'm frankly amazed that someone hasn't started emptying ATMs by crashing the software and then convincing the bank that they're the engineer.
From a security standpoint, the less people are involved, the better. The ideal would be for the system to have some diagnostics and monitoring tools. If you're running into an OOM error because some OS bug is causing a memory leak, then the software should be able to handle the problem quite easily on its own.
If and ONLY if manual intervention is required should an engineer be sought, and then they should come armed with the output from said diagnostic and monitoring software, so they can fix the problem.
What I suspect happens in reality is that a guy drives up, waves a card at the people in the office, opens up the ATM, hits a reset button, closes the ATM and drives off. No checks, no verification that the crash wasn't due to something more serious, nothing. If they're called back, maybe - just maybe - they'll swap the motherboard. The old mobo won't be tested or examined, it'll just be put in some storehouse to be used in case another machine breaks down.
The use of "refurbished" (read - rejected by someone else) equipment is amazing in America. It's never tested adequately, assuming it's ever tested at all.
Frankly, given the choice of relying on a $4/hour tech to maintain the system, or a watchdog card and a decent set of self-diagnostics tools, I'd take the latter. Precisely because it is more secure.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
There is good and bad with this.
The fact is that many banks are doing this switch now. If you are a Wells Fargo customer, be glad they are not using Diebold. These are the ATMs that were shut down via either SQL slammer or blaster last year. I do not remember which. Diebold's answer to this is not a patch management scheme or to properly write their code. Instead, they now sell a personal firewall for each ATM!
Additionally, Diebold was barred from doing business in California due to their poor practices. http://www.unknownnews.net/031106comvot.html
On the good side. This is a move that must be made. Many of the old ATMs do not encrypt their data at the keypad as is required from Visa standards. With their upgrades, they will.
One should also keep in mind that if these have a proper patch management scheme, and are appropriately firewalled, and have good code, that this is no worse than you doing your banking online. As a matter of fact it is probably safer since there is no outside network gaining direct access.
Windows ATMs are all over the place.
The Windoze enabled ATMs do not dispense more than $640. When asked about it, Bill Gates said, "$640 should be enough for anyone."
Okay... let's start with a warning... I'm a hardcore Linux Guy...with that said...
Is this the most retarded thing you ever heard?
Okay... OS/2 is.. well... get the archeologists out here to fix the damn thing. But a Windows? Okay I noticed that at my bank (no names here) they use Windows 2000 and Microsoft IE to connect their bank software... ActiveX enabled!!!! I noticed this a week ago... and my first remark was "How horribly insecure!". Forget the fact that ActiveX is a smoldering pile of &%^ and a breeding ground of holes and security leaks... but one has to figure that if this software is accessed with IE and a Microsoft based network... that the webserver powering this is Microsoft IIS. Which as we all know is about as secure as (pardon the lame pun) a broken window.
Now this loading of ATMs with Windows is sheer stupidity... for the following.
1.) It wants to use TCP/IP
2.) Runs a Webserver for a interface UI (50 bucks says its IIS.)
3.) It uses Microsoft "extended" protocols.
Now this opens up some huge security holes here. Beyond the obvious... think about this scenario:
Bank "A" supports Online banking as a in-house service, with local servers. It runs a Windows based network (with teller machines) using IE and IIS for its banking apps. Then it's interconnected to the ATM machines via the same windows system. Then being Microsoft... all the systems will be interconnected... and extended... Posing one very easy target for script kiddies hackers...
As soon as a exploit for IIS is found a script kiddie could "potentially" get access to an ATM via the local network and load his pocket with a ^$$^ load of cash.
No system is ever totally secure... but opening this thing up with Windows is just retarded. That's my 2 cents!
-Digital Madman
DAVEO agrease with you"re poost!! :)
-DAVEO
I work for a mid size bank and we are doing the same thing. We are getting rid of our OS/2 based ATMs and replacing them with ones that run Windows XP. The ATM software is gonna run in IE in kiosk mode. I don't believe that it is our choice to run this configuration. Our ATM vendor is passing this along to us as the new solution to our ATM needs.
The patch management of these things is really becoming a nightmare, and we haven't even rolled them out yet!
I suppose they could still buy eComStation licenses if they were eccentric? But support has to be a major concern _now_, much less in a few years.
OS/2 was a great home system for me from '95 through '00 but that was the '90s and it's time to give it up. Training people to maintain it on current hardware would have to be a pain. And the HPFS file system just isn't as robust or secure as NTFS.
LanManager code was the basis for both, and is still the basis for XP (although it has some layers of security built on top of an insecure protocol at this stage). However, on Windows, LanManager code became integrated with the network stack and security code, causing no end to hacks. I never played with the OS/2 LanManager code, because there was no need to - FTP/Telnet/etc was a better way to go at the time.
"STFU" means "shut the fuck up".
My other car is first.
How about the network cable coming out the back? That would be completely useless to exploit, right?
And the old OS/9 (6809) based ATMs were far faster than these.
They were 8-bit processors at 8MHz or so. Having these new machines be less responsive than those is criminal.
Cue new websites with new pictures of blue screens on atms :D
RebateFX.com - Spread rebates for Forex traders
They threw out the perfectly good older NCR ATMs and replaced most of them with Diebold, except for a branch on El Camino Real that has some new fangled NCR ones.
The Diebold machines are a joke and a half. They are down very often and often en masse, and one time I was afraid it ate my card for about 2 minutes when it went haywire.
When you want to die, do so boldly?
You couldn't hack it in your whole lifetime without a true input device or some sort of magnetic input or network connection. You'll only have access to the displays they give you. What are you going to do, cause a buffer overflow by holding down one of the 10 buttons they give you for input for 2 hours?
What a timely post! Today I got back from a week long contract job and went to deposit some checks at the bank. Well, the local Wells Fargo closes at 4pm and I just missed it by about 10 minutes, so I went to deposit in the ATM. I inserted my card as instructed and voila, a nice windows fatal error message requiring me to click OK, but of course no mouse to click the button with and the Green enter button does nothing. In fact, none of the buttons did anything. Eventually, the ATM rebooted itself and came up with a nice "This ATM is out of service." message, and of course kept my card. So, I called Wells Fargo customer service to find out how long it would take to replace my business ATM card and it's 7-10 business days!!! Ouch! Why exactly am I paying for a business account when I get the same service as for my personal checking account? I don't know. *sigh*
Linux is stable, and can be almost totally secure (only run the things you need, and put a very secure firewall on the box). Linux also has Mozilla/Firefox which should be able to render the same HTML as the Windows Boxes. For less money, and about the same amount of work the ATM company could switch over to linux perfectly fine. Wow, Microsoft must have people totally brainwashed, or Linux must really suck at something.
mnewberg.com
When all these Wells Fargo ATM's get the next installment of the blaster worm I sure don't want to have to race the 'countdown to restart' message that comes up while I'm trying to deposit my check and get some cash out before the ATM reboots. By that point my pin and account number will already be tracked and my account will be summarily drained of hard earned finances and I shall run through the streets screaming like a little girl and waving my arms madly.
If it ain't broken, don't fix it. If an OS/2 based laptop is getting the job done, and there is no value add or return on your investment in running a windows/linux on these laptops... is it really worth it? Plus remember, when a new version of Z/OS comes out, it must support ALL the features of previous versions... the ultimate in backwards compatibility.
These laptops run Communications Manager which in some of its abilities can emulate a 3270 terminal.. (yeah tn3270 does the same thing...)
I use Wells Fargo in SF and have noticed that sometimes there can be a one second delay from when I push a button and when it registers. This started about a year ago. Could this be caused by the fact it is running Windows?
Someone who posts a comment that violates the groupthink (that these new ATMs will cause people to lose money and all sorts of stuff) and gets modded down. I'm so surprised!
"I'm sure there's a lot of holes that will be created because of this"
I hate to say this... but there already are. It came with the creation.
"Instant gratification takes too long." - Carrie Fisher
now we can hack all those ATM cameras...
Oh well, what the hell...
Back in 1992, IBM and the Ontario Govt. prototyped ServiceOntario kiosks to provide DMV services (license plate sticker renewal and dispensation, address changes, vehicle abstracts, fine payments).
Included digital audio and 30fps video. Special hardware was engineered to dispense license plate stickers. Not sure what the kiosks are running today, but in 1992 Windows couldn't cut it. The kiosks (advanced ATMS really) have won awards and have since been deployed into malls around the province.
Read more about government and self-service kiosks here, including US initiatives. If you think about the nature of transactions being performed, such kiosks must be connected to multiple government networks, yet be located in public spaces. Legal, technical and process innovations were required to make this hybrid device possible.
Presumably the ATM/Windows XP part of the box is *not* connected directly to the network. That there is a VPN box/pair between the ATM and the home networks...
ATM -- VPN -- Internet -- VPN -- Wells Fargo
So the real question is how secure are THOSE boxes...
Try and search for 0S/2 exploits even with Google.
However, if you try searching for OS/2 exploits...
No open ports, no way to exploit it.
I recoded the name section of my atm card to <A HREF="sploit.org">. Instead of saying "Hello MORCHEEBA" it'll have a giant link to my server with my hostile activeX ap. But, no open ports, so it's secure.
HIV Crosses Species Barrier... into Muppets
NOW. At the base of MRI's Sonograms, critical monitoring systems, etc is an OS...When Confidence, Integrity, Availability is compromised with a typical computer system, the loss is measured in downtime, or dollars. When it's a base for a life support system, or the system used to interrogate / program a pacemaker, the unit of measure will change.
Patching ATM machines? How weird is that? As a reference point, think about Bank Of America (BOA). Something like 16000 ATM's taken down due to a virus.
Here is some common sense for all those bright (dim light) Windows Admins out there.
1) Use separate networks, jackass.
2) Using a 16/32k DDS DS0 to patch a system that might require 200 meg's in patches is just insane.
3) Based on point 2, look for a different OS.
4) Just because your kids can use the OS doesn't mean that it should be used for an ATM.
As for point 4, my nephew can build a house out of lego's and playdough. I don't see the construction industry rushing to build houses out of the same material. Hell, the builders would have an easy time sculpting a building with a butter knife and playdough.
however, I do recall a recent case brought forth where a man is suing Bank of America? for his own vulnerable system. He had a keylogger on his home PC that was used by a Hacker to abscond with $90,000.00 . I don't know much of the details, but it's interesting.
I find it hilarious that Wells Fargo, one of the
... I can ;-)
first banks in the US, and the subject/victim of
countless stage coach robberies during the Wild
West Era, are converting their (small collection
of) ATMs to run under Winwhatever.
I suggest that they: 1) post at least two shotgun-
wielding guards at each station, and 2) get the
posses ready, before they deploy.
And of course, talk to Hollywood ASAP
see a lot of cool remakes of Westerns coming
to your neighbourhood soon
Invariably, the ATMs have to talk to the Bank's internal network at some point. Even over a VPN, you can have a propagation of a worm... That's how the last little inconvenience against Windows based ATMs happened. The worm got a machine on the inside of the Bank's LAN and propagated to the ATMs that were Windows based- right over the VPN.
It's a big deal. If it's going to be web-based on its controls, etc., it will have exposed ports.
Simply put, Windows really, really isn't suitable to task for this sort of job. Never was. As far as Microsoft's track record shows, it never will be.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
I'm going to be cancelling my accounts at Wells Fargo if I find their new Windows ATMs suck.
...of the big picture. The ATM is not directly connected to the Internet, no. But, how secure is the Wells Fargo end of that picture? We've seen Windows ATMs get zapped by Internet Worms because of infections that somehow get into the corporate LAN of the banks and since the VPN makes it look like the ATMs are on a network segment with the corporate LAN, the Worm gets into the ATMs anyway.
This has all the hallmarks of a BAD idea from the beginning as Windows isn't the right tool for this job no matter how you frame it because it's hopelessly insecure in ways far too numerous to count- and for financial transactions accuracy is job one and security is job two. I can believe that the ATM program works on the first nicely enough- it's not hard to do that sort of thing, really. I can't believe that they deal with #2 in ANY manner- not while you're building a fortress on a foundation of shifting sands.
Better to use QNX, Lynx, RTEMS, or even OpenBSD or Linux than Windows. Much less shifting sands there.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Not trying to be a Microsoft cheerleader, but I'm not sure the issue with a Windows ATM. If they're already using M$ for web servers, and you're using M$ to access their site, that's basically the same risk....
Actually it's probably more risk, because I vaguely remember something that happens when I go an ATM - I put a freakin' card in the machine!
Why cut IT when your office space costs $3/sf? gibso
has Windows powered ticket vending machines. I stopped using them completely when one crashed just after my Visa card had been debited and before I got my tickets. This is NT4 powered
My bank has W2000 ATM and it blue screens at least twice a week.
realkiwi
All it would take is one engineer's laptop infected with an undetected or 0-day worm and the whole game is over.
Here in the UK we have dozens of different screens in town and city centres displaying the blue screen of death or some other nice Windows GUI popup... be it in the ATM you were about to use, or the shopping centre plasma display screens, train station concourse etc.
not funny. not funny at all.
Windows Embedded refers either to Windows CE or to Windows XP Embedded. They are almost certainly going to be running Windows XP Embedded on these machines. That is basically your normal Windows XP with a different licensing agreement that gives you more options for customizing it: it's mostly the same codebase, it mostly has the same problems (security and otherwise).
The Swedish bank FSB has been using Windows (NT) based ATM machines for a long time now. Probably a very stripped down version, but no matter how stripped down it is, you'll still get Windows error messages.
I can surf the web, play games, and
constantly watch my back for that brass-knuckles
wielding hoodlum all at the same time!
Well, yes and no, assuming the XP system is stable enough to stay up and not crash in some unknown state leaving it possibly vulnerable to simple hacks from the keyboard.
I wonder if you could manage a buffer overflow exploit from a mag-stripe?
They make ATMS don't they? And no-one else would be stupid enough to put them on a public network when it is so easy to put them on a private network like we have now. How many dollars per machine do you need to save before it offsets the PR loss when the media reports instances of your machines getting owned? I suspect they won't be saving much at all per machine by putting them on the public network. If this sort of stupidity continues those bad movies about hackers getting into systems that should never be on a public network may become reality.
They must be kidding to use the deprecated Microsoft Windows "OS" for ATMs! Bad idea and... very very very bad idea!...
If I was doing it and had to use windows and a PC, I would strip down the system of everything that doesn't have to be there and install a firewall and VPN card (there's embedded linux boxes on PCI card that make decent firewalls with a couple of types of VPN) which costs less than a standard windows licence, and use it to filter the VPN vigorously and let nothing else in. Obviously that is not done or they wouldn't have got a worm in their machines, and they wouldn't have had students playing Talking Heads samples in media player on one of their ATMs.
I wouldn't blame Microsoft for a braindead management decision - MS sell an embedded OS for purposes like this, so the decision most likely came from someone at Diebold. I'll bet the bank is being treated as a cash cow and is shelling out a fortune for these repackaged PCs.
...is very old news... seen it for 4 or 5 years now...
...and Web enabled != Internet connected
...and the connection is a "closed group" ADSL, the other end of the ADSL is not connected to the Internet but to other ATM's and to the bank.
...and yes, that means that a worm in the bank will close several if not all ATM's
There's more than Linux with a high maintenance contract...
Oh man... you actually read MS-funded blogs like that? You're just giving Bill hitcounters to gloat over.
The biggest security threat to Automatic Teller Machines comes from those that service them. From the installers, to the guards that load them with money, these folks are the ones stealing money and identities.
If you, as a supervisor, fail to perform background checks, you may find yourself missing a whole bunch of money. And the security guards will tell you "Aw, these Diebold machines always count wrong" as they pocket thirty bills per week.
Have you Meta Moderated t
... with a card thing so we can get some spare change from the atm machines... nothing like terminator 2
it doesn't really affect me, as I'm up here in the frozen North (Canada to you guys...) but it DOES worry me quite a bit. The powers that be in Canada have to be some of the stupidest peeps I've run across, and running Windows (in ANY version) across an ATM network would be ludicrous... not only are our (majority of) IT prof's able to deal with the expected -- nay, required -- complications, but neither are they competent enough to ensure the safety of the people and monies involved. Let's stop this now, and NOT let Windows into our environment, without the capable and reliable solutions that we need.
When the going gets weird, the weird turn pro. ~~ Hunter S. Thompson
You download mp3's on the atm and they get a complete audit trail with your account details
yay!
Woohoo
The ATM makers are making themselves obsolete. By providing low security publicly accessible terminals running windows, they've made them less secure than your home computer doing internet banking. Because, at least when it's in your house, you can do some due diligence in ensuring that your computer is secure. The only reason for ATMs is for getting money. Which is of minimal importance when just about everyone accepts bank cards for payment. You could even visit the bank once a week and take out cash for those smaller transactions where you can't use the bank card.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
US banks are going to start using ziplock bags instead of safety deposit boxes and "very strong wooden boxes" locked with Master brand locks instead of vaults. And instead of expensive security vans to transport money, they'll be using bike couriers. More news as it develops.
If someone says he and his monkey have nothing to hide, they almost certainly do.
The Otto-ATMs in Finland have been running Windows NT 4 for years. AFAIK, the UI itself is a Java-applet running in Internet Explorer.
And yes, I've seen the IE on them crash, leaving the standard NT4 desktop, error dialog, and a command prompt window.
Scary.
Well, you're right of course. But to me, Diebold's popularity with the banking/credit industries is just one more indication of the contempt with which those industries hold their customers. It's not hard to hire an outside engineering firm to audit a supplier's designs. Was that done with Diebold's equipment? You would think that an organization as conservative and nominally responsible as a bank would insist upon it. Maybe they do ... but I find it hard to imagine that any reputable firm would have given Diebold a pass on their Windows-based designs.
One can't help but think that this is a tip-of-the-iceberg situation. Diebold provides consumer-interface equipment (and has been in the public's eye over their voting machine fiasco) so naturally it will receive more attention than all the behind-the-scenes communications technology and other services that make ATMs work. How truly secure (or otherwise) those systems are is anyone's guess. If there was ever a place for rigorous Federal quality-of-service standards this is it. The phone system used to be regulated and had to maintain a specified QOS or get penalized, but I don't know if there's anything similar in the banking world. If not, there probably ought to be. I'm not ordinarily one who is for more government involvement in anything, but honestly what else has the power to make these organizations clean up their act? Obviously, us poor consumers can't do jack, since we're getting screwed by the ChoicePoints on the one hand and the Diebolds on the other. Equally obviously, until our current administration leaves office nothing will happen either.
I think the big problem is that banks and credit card issuers are willing to tolerate a certain level of fraud, a certain amount of "collateral damage" (i.e., us) before they will make any concerted effort to improve. My understanding is that they pay their insurers to cover their losses due to fraud and don't worry themselves too much about it.
The higher the technology, the sharper that two-edged sword.
For the popup ads during my ATM transaction! Can you imagine the joy of the marketing department when you can just push this button and it will automatically deduct the funds and ship to your address on file!?
I'm going to change my savings to gold now.
Yes, but the computers that the bank uses to control the things may be. You just need to infect them to do bad things to the ATM's.
...the straw-man that broke the camel's back?
because it was mostly written in C as opposed to the mostly (all?) assembly that OS/2 was written in. In addition, when an early version of NT would crash (didn't happen very often - it was pretty bullet proof compared to the other Windows versions) sometimes the errors still said "OS/2 error..."
This fits right in with the rigid Wells Fargos "take a penny, leave a penny" company policy.
(truthy) not long after refinancing w/ WF, we got a letter saying our mortgage records were on a laptop that was stolen from WF and would we like to buy mortgage insurance to prevent fraud ?
yeah - sure. riiiiiight.
Mmmmmm - That's mighty good bungling Wells Fargo !
Not trying to be flamebait, but aren't most of the new windows-based vulnerabilities through email attachments (and people who continually open/execute them?) or flaws in the IE browser? If this is a version of windows that is well patched, RPC and other extraneous services are disabled, uses a personal firewall, is it really going to be that vulnerable?
ATMs (in Canada and I'm assuming the US) run on a private X.25 network. Moving off OS2 to windows or linux or BeOS should make no difference as to their security as these boxes are seriously locked down and disabled to the point that they'll only communicate with boxes that they're set to communicate with.
You might get the BSoD now and again but they should be pretty secure.
I applied for a computer security consultant job for Wells Fargo a while ago and never got it. Let's pretend I got the job, and I'm talking to the guy that's telling me they're going to do this:
"Okay, how can I put this so you completely understand me... You plan to put Windows on ATM machines, use a universal protocol standard, and then hook it up to the internet? Okay, how do I begin... this is a REALLY STUPID IDEA. This is an INCREDIBLY DUMB IDEA. You WILL get hacked. You -WILL- destroy the credibility of your bank. And to top it off, it will cost a ridiculous amount of money. Any questions?"
I'm in the process of starting my own Security Consulting company right now because I got sick of looking for jobs, so when they get completely hacked maybe they'll contract me to fix it. I'm not immediately sure what I'd recommend instead, it's definitely something you should put a lot of thought into, but Windows is definitely the wrong direction here. You don't use the second most hacked system on the internet to secure your bank transfers.
I was involved in a OS/2 Migration for a Canadian bank. The business was shocked when they found out it was going to cost them 2 million more a year to support the windows infrastructure. In particular more full time staff were required for Active Directory management, security, and new version of the software for ATM management was required(Pegasus).
From some research I did a while ago the Windows has an api for financial peripherals. In particular the cash feeding machine (the guts of the device). Java also has a similar api. No such thing exists for python - but I suppose you could use Jython.
exactly!!! The fanboys need to get more experience in this field before they latch onto linux or some other false tech savior. Any and all os's are vulnerable, people invented tech so therefore people can hack tech, it's that simple. Too bad geeks do not compute when it comes to the common sense bigger picture.
ok then what would you use smartguy!! Linux, OS/2 they're just as hackable goof ball!! Give a hacker time and access and anything programmed is hackable. You must be jealous of Gates bigtime. I'm no Gates fan but I do know what hacking is and what it takes..
but I'm (still) a Wells Fargo customer!
hmmm.....
I used to work for Scientific-Atlanta, and people used to complain all of the time about delays between pressing the channel change button and the channel actually changing. That wasn't the fault of the cable company or the cable box maker. It was because with the crappy new digital channels (hello idiots, video is analog!), you have to wait until you receive a key frame before you can start showing the picture. Every digital (crap) compression (synonym for throwing most of the data in the garbage) algorithm has this problem. Analog is still the media of choice for video, just as it is for high-end audio.
it's not April 1st already, is it?
1. Great idea. It will have more than just a few problems.
2. Don't set these things up in Germany. They'll be hacked by guys in high speed trains.
You mentioned from the input on the ATM is what you implied with your post about the college terminals. If you are talking through the network port than yeah I don't disagree that it is hackable. But any type of system with a network connection is hackable.
All I can say is I don't have any account with them... And it's a really, really good thing.
On the bright side, we probably won't be seeing many more phishing exploits from the Russian hackers now that they have a more lucrative target.
An engineer who ran for Congress. http://herbrobinson.us
"Ahh, OS/2, I miss it. The last time I whipped out my OS/2 Warp disks and tried to install it, it didn't seem to like my 10 years newer hardware and couldn't find a HDD driver. Bummer. I can only imagine how fast it would have run on my 2GHz box."
Ah, problem is that drives had exceeded the size limits in the mean time. But the original poster knew that I suppose. Even Linux and Windows had to create new drivers to support the newer drives.
> Try the Danis506 drivers, it even has got some SATA support.
If you need newer drivers for those bigger disks (in 10 years something changed) perhaps IBM would supply them to you for free. But better is of course the free DANI drivers mentioned here. But where to get them? Of course at the great Hobbes.NMSU.EDU OS/2 repository.
> eComStation runs rather nice on my 1.8Ghz Athlon XP - Barton box, especially with the new kernel.
Perhaps we need to explain what eComStation (eCS for short) is. It is a workstation OS built on (and improved from) OS/2 under a license agreement with IBM by Serenity. It can be found at www.eComStation.com of course. And bought at various places, i.e. www.Mensys.NL.
best regards
from Leeuwarden
Peter van Dobben de Bruijn
(p.s. I am definitively not an "anonymous coward" just trying to save my energy and time by not creating a special account just for this one time intervention).
I have quit using ATM's altogether for a number of reasons. One of the main reasons is that I have found it easier to manage my finances by using a credit card to pay for everything(even groceries) as there are many CC's out there that give you miles/reward points for purchases. Also with credit cards you don't get change back and your risk of loss is less if the card number is compromised.
I take my paycheck and use part of that to pay off the balance on the CC each month. So I never need to look for an ATM and don't have cash in my pocket or pile up change.
Also, the risk to your account is actually greater from the cons who have developed the devices which they attach either to the front of the card slot or actually within the machine that grabs your card number while you are transacting and is invisible to you. Then they take the card numbers and spend...I don't have the links on hand right now but there have been many documented instances of this. Essentially, I don't believe that ATM's are secure at their sites or through their network connections.
"Lack of technical competence coupled with the arrogance of power, as usual, leads to no good end."
The windows bashing crowd has come out in force for this article. Any OS that is left open will be exploited. My FC 3 box got r00ted within 3 days of being connected to the internet. Granted it was my mistake that allowed it to happen. Take the article at face value and learn something from it. In next 10 years I wager that 95% of the ATMs out there will be windows based. Bitch all you want about it but you will still be getting your money from it. And who knows maybe the federal government will then take aim at MS and the hackers for being stupid about things.
My Doom. The gift that keeps on giving
I thought the article was about how legacy OS/2 ATMs were being switched out with (shudder) Windows XP/web based equipment--from a company notorious for the shoddy quality of its voting machines. Where does Linux come into the picture.
Quite frankly, it isn't the fact that WinXP is the OS that primarily scares me. What scares me more is
* These machines will be web based, possibly connected to a public network. Even if they utilise a VPN, the fact that a machine that gives me money and updates my account balances could be on the same network as some dense 2nd-assistant bank manager that opens all attachments marked "joke". It also bothers me that overworked IT staff of questionable competency are responsible for making sure the VPNs/firewalls/etc are correctly configured.
* Banks that harbour this herd mentality and all implement the same platform, from the same small handful of companies. It's true that no platform is completely secure, but if there is only a single platform then one hack can take out everything. You make this point yourself--if Linux had 90% marketshare then it would be a primary target too. Fact is, however, that even within the Linux platform there is healthy diversity--there are a multitude of choices in distros, window managers, applications, etc. In a Microsoft-only shop, there is one OS, one dominant browser, one dominant office suite.
* Diebold has been notoriously opaque about its development practices. It had to be cajoled into letting 3rd parties examine its election equipment, and to my knowledge no agency (banks, government or otherwise) has driven them to have their code vetted by a 3rd party. Open source by definition allows any interested party to examine the inner workings of a system, however closed systems can be opened to a limited amount of 3rd party examination too (Microsoft even has "shared source"). It'd be nice if Diebold was known to be as open and forthcoming as even Microsoft.
If the general public were fully aware of the direction banks were going with their ATMs they would be very uncomfortable. Windows, IE and the web already have a reputation for being dangerous enough to make people cautious about online shopping. If the same nasties that foul up Joe User's PCs start making ATMs die with increasing frequency it'll be a disaster. In Canada at least, major nationwide disruptions in banking service due to "upgrades" have already angered the public. The last thing we need is for the special "embedded IE" to crash and leave inoperative ATMs at the "start" button and such things.
And no, this isn't the "linux fanboy" in me talking. This is me looking at the situation with a critical eye. This "modern" Windows-and-IE based solution has a shoddy track record to this day. At the airport, for example, the screens showing arrivals and departures or what flight was unloading onto what baggage carousel, NEVER, EVER used to crash. They were plain-looking, colour-but-text-only displays driven by who-knows-what platform (UNIX, OS/2, maybe even DOS?), but they did the job without issue. Now, we have very fancy flat screens with beautifully rendered displays, but if you fly frequently it is quite a bit more common to see one of these systems betray their Windows roots with "access violations" and start menus, login screens and the rare BSOD.
The result at the airport is amusing at best and slightly annoying at worst (gotta find another screen to see how long your flight is delayed maybe). On an ATM however, it makes one worry--what if it crashes after I hit "OK" but before I get my money? What if it doesn't give me a receipt before it crashes? Is my balance still OK? With web-based banking at home, I can reboot and log-in again to see where it left off. At an ATM, I don't have the login or even a real keyboard to do that. If these are indeed WEB ATMs, what kind of mechanism is there to ensure data integrity/atomicity and give feedback to the user should there be a problem with the browser?
There is a time and a place for this platform...ATMs are not one of them.