Slashdot Mirror


Wells Fargo Web-Enables ATMs

smooth wombat writes "Wells Fargo has completed a five-year project to Web-enable its 6,200 ATMs in 23 states. Now the ATMs will be Windows based rather than OS/2 based. Avivah Litan, an analyst at Gartner Inc., in Stamford, Conn., said the move to Windows-based systems is "not great news for the security of the system. I'm sure there's a lot of holes that will be created because of this.""


  1. Re:was a change required? by ceejayoz · · Score: 5, Informative

    No one sells 'em anymore, at least not in the quantities Wells-Fargo needs.

  2. Re:choice quote by Anonymous Coward · · Score: 4, Informative

    It's a ridiculous story. Using a SOAP/XML-based protocol is not "web enabling".

  3. Re:Not a good thing for bank users .... by man_of_mr_e · · Score: 4, Informative

    It's unlikely that these machines are actually on the internet, but if they are it's probably not a big deal anyways. They'd likely be using some kind of hardware VPN, and even if they weren't they are most likely shutting off all external ports other than their own software, making it no more vulnerable than any other OS they might choose. No open ports, no way to exploit it.

  4. Re:Yes, but... by afidel · · Score: 4, Informative

    Uh, no, Windows XP Embedded is EXACTLY the same code base as Windows XP. It's basically a componentized version of Windows PE, much along the lines of what the community did with Bart's PE. Now if they were using Windows CE.net THEN it would be a different code base, but many DCOM components for CE.net share source code with their Windows counterparts, so running on x86 hardware means that many of the same exploits may exist. Now if Wells Fargo knows what they are doing there won't be any unnecessary services installed, but the way the component selection engine for XP Embedded works means that things like the IE engine get dragged into almost any useful selection, meaning that all sorts of vulnerabilities exist.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  5. Re:os/2 everywhere by WillerZ · · Score: 5, Informative

    The reason OS/2 hasn't been EOL'd yet is that you need an OS/2 box if you want to start a mainframe (you can IPL it from the terminal, but to get from powered-off to powered-on you need OS/2). At least up to 2003 if you bought a zSeries box you got 2 OS/2 thinkpads inside it on shelves (I haven't poked around in any of our newer zSeries kit).

    For the curious, they're needed to tell each zSeries processor what it is. This isn't as dumb as it sounds, because each of the 16 processors can do one of 4 tasks depending on the microcode you load into it.

    You need a fairly dependable OS for this job, and when I last asked them they didn't trust Windows or Linux to do it right.

    --
    I guess today is a passable day to die.
  6. Yet somehow, it does. by mcc · · Score: 5, Informative

    Existing Windows XP Embedded based ATMs, made by Diebold, have already been affected by Windows XP-targeting worms. This should be sufficient to demonstrate that the code bases at least share whatever code caused vulnerability to the Nachi worm. The obvious question then becomes, if and when further holes in Windows XP are discovered, what happens if they too are in the code shared with Windows XP Embedded?

    I mean, it's just an awfully funny coincidence that the sudden emergence of the term "cyber-crime" in connection with ATMs just happens, after all these years of computer ATMs, to coincide with the introduction of Windows based ATMs.

    And I somehow suspect that in five years, when WinXPEmbedded ATMs are everywhere, if anyone observes it as odd that ATMs suddenly have a security track record now, we'll have people saying "oh that's just part of the technology, there's nothing you can do about it, it would be the same with any other vendor"...

  7. Hacker takes 3 minutes to get your cash by rimu+guy · · Score: 4, Informative

    And in a not unrelated story: Hacker takes 3 minutes to get your cash

    A New Zealand computer hacker has accessed the private bank accounts of dozens of unsuspecting Kiwis, showing how easy it is to break into our internet banking system.

    The hacker installed software in a Wellington internet cafe that allowed him to gather the user names and passwords of people banking online at the cafe.

    Police e-crime national manager Maarten Kleintjes says he has been urging banks "for years" to introduce systems that ensure internet banking is safe, but most have been slow to respond.

    Kleintjes says the problem is that internet banking access relies on a simple password "which can easily be stolen". Other countries use "two-factor identification" where, in addition to a password, the customer is given a new security password for each internet banking session.

    Only two local banks, ASB and BankDirect, have a two-part identification system, where the customer is sent a text with a security password to use before transferring money.

    Online bankers can follow the advice on bank websites about using anti-virus software to detect and avoid key-logging programmes on home computers, but the software provides no guarantees. Kleintjes says it is "unreasonable and unrealistic" to expect all customers to know how to do this. He said the banks should introduce safe systems that have been available overseas for years.

    --
    Linux VPS Hosting you can Bank On

  8. Re:was a change required? by Deviate_X · · Score: 4, Informative

    IBM recommends OS/2 users migrate off OS/2 to either Linux or Windows 2000. That's what's wrong with it, probably nothing technically (yes, OS/2 developers are relics), more commercial.

    Given that Wells Fargo is a substantial entity, it would be interesting and credible to know how/why they decided to go the Windows route, since it is possible to maintain a large number of networked Linux nodes for remote updates/admin as is cited in the article about Windows.

    Are Windows Embedded ATMs really the only game in town?

  9. Re:was a change required? by rsmoody · · Score: 5, Informative

    I asked that myself when the bank I work for started upgrading our ATMs to 3DES. Some are still OS/2 but some are Windows based. And it uses regular Windows, not Embedded, it's straight Windows 2000. To tell you the truth, I actually liked the Windows based ATM. From the standpoint of having to hold the teller's hand over the phone because they are not trained properly, it makes it easier on us because the Windows ATMs actually have help screens and short movie clips that can walk the undertrained (read stupid) teller through the procedure of properly inserting a cassette of money (as if it were that difficult). The OS/2 ATMs are only character menu driven, the Windows ATMs are all graphical. The actual screens the customer sees are actually web pages so it's easy to make them look how you want and not be a programmer.

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  10. Re:was a change required? by Anonymous Coward · · Score: 5, Informative

    I work for a financial services provider that has about 100 ATMs in the field. They're from Diebold, and up until very recently, they ran OS/2. Why'd we switch? Well, first of all, Diebold does not provide NEW machines that run anything other than Windows, so if you are doing a major deployment, and you buy from Diebold, you're getting Windows. Second of all, the industry is moving to 3DES at gunpoint (that gun wielded by our friends at Visa and MasterCard) and Diebold only supports 3DES on Windows-based ATMs.
    Now, it's true that you don't have to TCP/IP-connect a Windows-based ATM, you can operate it solely over SNA or SDLC or whatever you have -- but if you do you don't get all the features of the ATM, and not just the annoying things like HTML-based UI -- you don't get the handy stuff like remote management which means that you spend $$ sending humans out to the site rather than just doing task 'x' from your network.

  11. My bank is doing the same thing... by plazman30 · · Score: 4, Informative

    I work for a mid-size bank and we are doing the same thing. We are getting rid of our OS/2 based ATMs and replacing them with ones that run Windows XP. The ATM software is gonna run in IE in kiosk mode. I don't believe that it is our choice to run this configuration. Our ATM vendor is passing this along to us as the new solution to our ATM needs.

    The patch management of these things is really becoming a nightmare, and we haven't even rolled them out yet!