Wells Fargo Web-Enables ATMs
smooth wombat writes "Wells Fargo has completed a five-year project to Web-enable its 6,200 ATMs in 23 states. Now the ATMs will be Windows based rather than OS/2 based. Avivah Litan, an analyst at Gartner Inc., in Stamford, Conn., said the move to Windows-based systems is "not great news for the security of the system. I'm sure there's a lot of holes that will be created because of this.""
They're going to use Windows Embedded, not Windows XP. Two completely different code bases.
Just because one has security issues does not mean the other will too.
Real programmers can write assembly code in any language. -- Larry Wall
No one sells 'em anymore, at least not in the quantities Wells-Fargo needs.
It's a ridiculous story. Using a SOAP/XML-based protocol is not "web enabling".
It's unlikely that these machines are actually on the internet, but if they are it's probably not a big deal anyway. They'd likely be using some kind of hardware VPN, and even if they weren't they are most likely shutting off all external ports other than their own software, making it no more vulnerable than any other OS they might choose. No open ports, no way to exploit it.
The reason OS/2 hasn't been EOL'd yet is that you need an OS/2 box if you want to start a mainframe (you can IPL it from the terminal, but to get from powered-off to powered-on you need OS/2). At least up to 2003 if you bought a zSeries box you got 2 OS/2 thinkpads inside it on shelves (I haven't poked around in any of our newer zSeries kit).
For the curious, they're needed to tell each zSeries processor what it is. This isn't as dumb as it sounds, because each of the 16 processors can do one of 4 tasks depending on the microcode you load into it.
You need a fairly dependable OS for this job, and when I last asked them they didn't trust Windows or Linux to do it right.
I guess today is a passable day to die.
"An ATM doesn't have to be on "the net" to do that. It has to communicate to the central handling server regardless of it's OS."
"It's" means "it is".
And a tidbit about some new features:
What are the odds that some idiot will name his mutex ether-rot-mutex!
"And finally who will be responsible if people loose precious money because of some kid running a 10 line worm?"
"Lose" is the opposite of "gain" (or "win").
"Loose" is the opposite of "tight".
You should have learned this somewhere around third grade.
Existing Windows XP Embedded based ATMs, made by Diebold, have already been affected by Windows XP-targeting worms. This should be sufficient to demonstrate that the code bases at least share whatever code caused vulnerability to the Nachi worm. The obvious question then becomes, if and when further holes in Windows XP are discovered, what happens if they too are in the code shared with Windows XP Embedded?
I mean, it's just an awfully funny coincidence that the sudden emergence of the term "cyber-crime" in connection with ATMs just happens, after all these years of computer ATMs, to coincide with the introduction of Windows based ATMs.
And I somehow suspect that in five years, when WinXP Embedded ATMs are everywhere, if anyone observes as odd how ATMs suddenly have a security track record now, we'll have people saying "oh that's just part of the technology, there's nothing you can do about it, it would be the same with any other vendor"...
Bank of America "upgraded" their ATMs to surround their interface with graphics, and to add animated movies (with sound!) between operations.
But recently they came to their senses. Now it's big white letters over a black background (like an old terminal), no cruft. Maybe this was caused by the elderly who had problems parsing all these pixels, but anyway, thank you for reverting to an old fashioned ATM. But how much money was wasted on the eye-candy experiment?
And in a not unrelated story: Hacker takes 3 minutes to get your cash
Well, to me it looks like they've got a thin client in front of a J2EE backend.
I think their excitement is the new communications infrastructure: the fact that updates via a teller can immediately be checked on the ATM. They're really happy over their new SOAP/J2EE bits. Of course, all the user sees is the ATM, so it's the only drum they have to bang. They might as well bang it for all they're worth.
668: Neighbour of the Beast
Given that Wells Fargo is a substantial entity, it would be interesting and credible to know how/why they decided to go the Windows route, since it is possible to maintain a large number of networked Linux nodes for remote updates/admin, as is cited in the article about Windows.
Are windows embedded ATMs really the only game in town?
I asked that myself when the bank I work for started upgrading our ATMs to 3DES. Some are still OS/2 but some are Windows based. And it uses regular Windows, not embedded, it's straight Windows 2000. To tell you the truth, I actually liked the Windows based ATM. From the standpoint of having to hold the teller's hand over the phone because they are not trained properly, it makes it easier on us because the Windows ATMs actually have help screens and short movie clips that can walk the undertrained (read stupid) teller through the procedure of properly inserting a cassette of money (as if it were that difficult). The OS/2 ATMs are only character menu driven, the Windows ATMs are all graphical. The actual screens the customer sees are actually web pages, so it's easy to make them look how you want and not be a programmer.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Diebold has been making ATMs long before they acquired a company that makes voting machines.
Of course, their old ATMs were relatively reliable although they couldn't run Windows Media Player.
I work for a financial services provider that has about 100 ATMs in the field. They're from Diebold, and up until very recently, they ran OS/2. Why'd we switch? Well, first of all, Diebold does not provide NEW machines that run anything other than Windows, so if you are doing a major deployment, and you buy from Diebold, you're getting Windows. Second of all, the industry is moving to 3DES at gunpoint (that gun wielded by our friends at Visa and MasterCard) and Diebold only supports 3DES on Windows-based ATMs.
Now, it's true that you don't have to TCP/IP-connect a Windows-based ATM, you can operate it solely over SNA or SDLC or whatever you have -- but if you do you don't get all the features of the ATM, and not just the annoying things like HTML-based UI -- you don't get the handy stuff like remote management which means that you spend $$ sending humans out to the site rather than just doing task 'x' from your network.
Dunno about Wells Fargo, but all the banks in the UK have been going to these "richer client experience" terminals.
This is most noticeable on the older ATMs that were upgraded to newer animated software (The Clydesdale Bank machines seem to be the worst) where there is a noticeable time lag between button presses.
I think part of the slowness is due to the new 'chip and pin' bank cards in which the machine has to talk to the chip, rather than just read the data from the card.
Wells Fargo already allows you to do a remarkable amount of banking on the web. I suspect that extending the connectivity to the ATM will allow them to provide services at ATMs that aren't available from other banks. It also allows them to customize the programming themselves, rather than rely on whatever Diebold wants to sell them. I must say, WF ATMs have a more sensible workflow than certain other machines. This matters in places like a university student union building where there might be 100 people lined up to use 4 machines.
As for security, it's 3DES over SSL on a packet network. Most ATMs use a standard protocol over a CCITT link on a POTS line.
"Ahh, OS/2, I miss it. The last time I whipped out my OS/2 Warp disks and tried to install it, it didn't seem to like my 10 years newer hardware and couldn't find a HDD driver. Bummer. I can only imagine how fast it would have run on my 2GHz box."
Try the Danis506 drivers, it even has some SATA support. eComStation runs rather nicely on my 1.8GHz Athlon XP Barton box, especially with the new kernel.
Live long and prosper...
I work for a mid size bank and we are doing the same thing. We are getting rid of our OS/2 based ATMs and replacing them with ones that run Windows XP. The ATM software is gonna run in IE in kiosk mode. I don't believe that it is our choice to run this configuration. Our ATM vendor is passing this along to us as the new solution to our ATM needs.
The patch management of these things is really becoming a nightmare, and we haven't even rolled them out yet!
Well actually OS/2 does have support for and uses a graphical user interface today - somehow it should be possible to add animations and graphical multicolour menus ... well, I'll return to my DVD watching, on my eComStation (OS/2) box.
Try this one at home, kids. Go to your local ATM, feed it your card. (ok, you're brave now) PIN in. Select Transfer, Savings to Checking. Now when it asks for how much, put 0. Yes, zero. Like I did when I realized I didn't know how much I had in savings. (and it doesn't tell you what your limit is... nerf?)
At several banks here in town, you get a ticket that says "Amount error #13", your card pops out, (thankfully!) and "TEMPORARILY OUT OF SERVICE" pops up on the display.
Whoopsie!
I work for the Department of Redundancy Department.
Back in 1992, IBM and the Ontario Govt. prototyped ServiceOntario kiosks to provide DMV services (license plate sticker renewal and dispensation, address changes, vehicle abstracts, fine payments).
Included digital audio and 30fps video. Special hardware was engineered to dispense license plate stickers. Not sure what the kiosks are running today, but in 1992 Windows couldn't cut it. The kiosks (advanced ATMs really) have won awards and have since been deployed into malls around the province.
Read more about government and self-service kiosks here, including US initiatives. If you think about the nature of transactions being performed, such kiosks must be connected to multiple government networks, yet be located in public spaces. Legal, technical and process innovations were required to make this hybrid device possible.